Thursday, January 8, 2009

After my previous post, I started a thread in FriendFeed that not only linked to my previous blog post, but included an additional graphic that focused on the dialog box itself (I began to suspect that the message at the bottom left wasn't related to the issue).

In addition to the wise messages urging me NOT to pass my credentials to this suspicious dialog box (I didn't), I also got a couple of comments from FriendFeed user Chacha:

They are having a problem with it. A lot of sites are getting this problem. It has to do with an error in the badge.

Do not replace twitter.com with some domain that is not Twitter, or your own site! Doing so gives that site access to your user's cookies, and generally allows that site to run any JavaScript they want to on your site. It's better to just remove or comment out your badge for the time being.

alanjcastonguay commented:

That's not a fix, or even a workaround. You're sending every visitor's browser to do an extra DNS lookup on xxxtwitter.com (which does exist, appears to be a pornographic parking page), and then make an HTTP request to that server, which returns a chunk of html instead of a 404 or javascript blob. User's browser sees script errors trying to execute it. Recommend to instead comment out the script.